CyberWire Daily - Hostinger resets passwords after an intrusion. Social media fraud. Notes on RATs and ransomware. Free decryptor for Syrk. Hedge funds go bananas.

Episode Date: August 27, 2019

Hostinger resets passwords after a breach. Arkose finds that more than half the social media logins they investigated during the recent quarter were fraudulent. US State governors seem likely to call on the National Guard to help with cyber incidents. A new phishing campaign is distributing the Quasar RAT. A new ransomware strain, Nemty, is out in the wild. Fortnite account encrypted? Emsisoft can help. And who knew that hedge funds liked bananas. David Dufour from Webroot on company cyber security assessments. Carole Theriault speaks with Omar Yaacoubi from Barac on the growth in encrypted hacks, and how they use metadata to detect and analyze them. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_27.html

Transcript
Starting point is 00:01:22 Hostinger resets passwords after a breach. Arkose finds that more than half the social media logins they investigated during the recent quarter were fraudulent. U.S. state governors seem likely to call on the National Guard to help with cyber incidents. A new phishing campaign is distributing the Quasar RAT.
Starting point is 00:02:14 A new ransomware strain, Nemty, is out in the wild. Has your Fortnite account been encrypted? Emsisoft can help. And who knew that hedge funds liked bananas? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 27, 2019. Web hosting provider and domain registrar Hostinger reset user passwords over the weekend after determining that unauthorized parties had gained access to databases in its internal systems. About half of the company's 29 million users may have had their information exposed in the breach. The breach is thought to
Starting point is 00:02:57 have occurred last Thursday, when an intruder tripped an alert that a server had been improperly accessed. Using an access token found on the server, the attacker gained access to an API database that contained customer usernames, email addresses, and passwords. These were all hashed with SHA-1, which is good, but not nearly as good as it might have been, since SHA-1 is vulnerable and has been deprecated. Hostinger has since moved to the stronger SHA-2 algorithm.
Starting point is 00:03:27 The company says no financial information was exposed, but the compromise is worrisome, and customers were told to reset their credentials. It seems there's lots of fraud in social media. Now, saying that social media are rife with fraudulent activity will of course surprise no one, but the scale of the fraud is surprising. Arkose Labs' Fraud and Abuse Report for the third quarter claims that over half the logins they investigated were fraudulent. The company analyzed more than 1.2 billion logins in the financial services, e-commerce, travel, social media, gaming, and entertainment sectors to reach this conclusion. The national center of gravity for social media fraud also seems to have shifted,
Starting point is 00:04:10 with the Philippines now the clear leader in the origination of such traffic. The U.S. is a distant second, with Russia, the U.K., and Indonesia as also-rans. Recent attacks on U.S. local governments suggest that one of the threats to expect during the 2020 elections will be ransomware. Reuters reports that CISA is working to help secure voter registration databases in particular against this form of attack. StateScoop sees the National Guard assuming a role in ransomware defense.
Starting point is 00:04:42 U.S. Air Force General Joseph Lengyel, currently chief of the National Guard Bureau, said late last week that the recent incidents in Texas and Louisiana have amounted not exactly to a cyber hurricane, but to a major cyber storm. In both states, the governors called on the National Guard for help. He expects this to become more common, and as states and municipalities are hit by hacking, they're likely to call out the Guard. Cofense researchers have detected a sophisticated phishing campaign distributing the Quasar remote-access Trojan. Quasar is a widely available
Starting point is 00:05:18 commodity RAT, but the campaign distributing it is not just some off-the-shelf crimeware. Cofense says the email vectors have proven unusually adept at evading detection and avoiding analysis. Bleeping Computer reports research by Vitali Kremez that outlines a new strain of ransomware, Nemty. It appears to spread via remote desktop protocol. RDP would give an attacker more control over the attempt than the more commonplace email vector. Nemty is an odd duck in terms of some of its features. There are embedded references, for example, to Russian President Vladimir Putin,
Starting point is 00:05:57 although it's unclear from the reports whether these are complimentary or derogatory. And the code checks for systems in Russia, Belarus, Kazakhstan, and Tajikistan, but apparently not to avoid infecting machines in those countries, as is so often the case. It's common practice these days for the baddies to encrypt their code, which can make it difficult for defenders to analyze and detect what they're up to. Carole Theriault spoke with some folks in the UK who are taking a novel approach. So meet Omar Yaacoubi.
Starting point is 00:06:31 He heads up a UK company named Barac. Now, Barac specializes in detecting encrypted traffic by using machine learning and behavioral analytics to analyze not the contents, I mean, it's encrypted, remember, but by looking at the metadata that is holding that encrypted content. Now, that sounds pretty neat. I asked Omar to come and chat with us about this technology and to help us understand how it can help us beat even the most privacy-aware bad guys at their own game.
Starting point is 00:07:05 Omar, thanks so much for coming on the show. Now, it seems you and your guys at Barac uncovered a sophisticated cyber attack targeting a major African-headquartered financial institution. Now, what were the bad guys up to? Can you set the scene for us? Yeah, so the team... We do what we call a scoring engine, so we score every connection, every encrypted connection, and the scoring engine, in this case, scored several connections as high. So the team went to look,
Starting point is 00:07:40 to take a look at those metadata and those connections coming out of the bank, and we found suspicious activity around certificates, around different information. So when we took a look at more details, we found out that it was a sophisticated attack and exfiltration associated with North Korea in this case. And so just to be clear, what you're saying is the data was encrypted. So you guys aren't actually seeing what's inside or what's being shared, but just the pattern of traffic had changed. And that was enough to alert you guys that something weird was going on? Yes. So we don't see the data itself. We look at what we call the metadata related to the traffic. And by looking at those metadata, we've been able to spot abnormality within those metadata.
Starting point is 00:08:30 So certificate information contained the word NK, for example, that was associated with North Korea. The traffic was going to a country in Eastern Europe. The size of the packets was always the same. The cipher suites proposed and used were always the same. So all those combined together were raising flags as abnormal behavior within that financial institution. Now, you guys were working with this financial institution, and you were able to presumably spot this and put a stop to it. Is that right? Yes. So we spotted this early enough, using our beaconing engine, to be able to block that traffic and investigate, dig in more into detail. So we sandboxed that suspicious IP with the help of the banking team and some of the partners. And then we discovered that it was command and control, advanced command and control traffic that was taking place, with the full audit of
Starting point is 00:09:30 the logs and information. So the people that were behind it were trying to do small transactions on their SWIFT account to be able to extract that money and send the money to suspicious servers. You know, it's almost ironic, isn't it? Because they were obviously doing small transactions to evade detection. But in trying to do that, their metadata actually changed pattern. And that is what actually alerted you to the problem. Yes, exactly. So even if you try to do some advanced detection or advanced attacks, the metadata still give us a clear indication on what you guys are doing, especially when you associate that with powerful machine learning that learns from the behavior of the bank, the people within the bank, the transactions, the traffic, understands what's normal, and therefore is able to detect all those abnormalities or all those things going wrong within the bank or within any other customer. Now, tell me, is this a unique example? Have you never seen anything like this before? We've never seen such an advanced type of attack before. All the certificate information was good, all the certificates were legit, the servers were legit,
Starting point is 00:10:52 never been flagged before, the encryption used was moderately strong. So all that combined together shows that the hackers are also, especially population hackers, moving toward encryption and moving toward hiding all that traffic behind encryption. Well, Omar, on behalf of banking customers worldwide, we thank you for fighting the good fight. And thank you for coming on the show and making the time to speak with us. Thank you very much. This was Carole Theriault for The Cyber Wire. Emsisoft has a free decryptor available for the Syrk ransomware
Starting point is 00:11:24 that bamboozled Fortnite players looking for methods of cheating. Don't look for cheats, friends, and earn your skins and loot boxes legitimately. But if you were infected, Emsisoft has your back, and bravo Emsisoft, we say. The Washington Post conducted a quick experiment to see who received data generated in credit card transactions, what kind of data interested them, and what they did with the data once they had them. Technology columnist Geoffrey A. Fowler went to Target and bought a couple of bananas, 29 cents each, one with a Chase Amazon Prime Rewards Visa, and another with an Apple Card.
Starting point is 00:12:01 He says he found that, quote, six... Unsurprisingly, he found it difficult to determine just who had his data and what they were doing with the data. Some data consumers were obvious, like Target itself, Amazon, Google, and other marketers. But others were surprising, to us anyway, like hedge funds. Who knew hedge funds were so interested in purchases of fruit, even one so rich in beneficial potassium as the banana? And note Mr. Fowler's observation about the effective impossibility of determining to whom the data collectors might have passed or sold their take. He contacted some of the businesses who were interested in his information
Starting point is 00:12:49 and says he generally got the EULA-style verbal misdirection behind which companies retreat, as an octopus cloaks himself in ink to make a clean getaway. Or in other cases, they just didn't reply.
Starting point is 00:15:21 And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. I wanted to touch today on cybersecurity assessment, sort of taking stock and measuring where you are as an organization. I know you have some specific thoughts about this. You know I do, David. Great to be back as always. You know, a lot of times people say cybersecurity assessment and they're thinking, you know, the CISO or the risk coordinator coming
Starting point is 00:15:53 down from the top and saying, you know, we've got to look at this or we've got to look at that. But in this instance, I'm really talking about your technology teams, your software engineers, your IS team, your network support folks, and how do you put some processes in place that help those teams, one, assess themselves on their security posture, and two, allow those external resources like the CISO or the risk folks to come in and analyze how these teams are doing. So what does a self-assessment provide you that's different from someone coming in from outside? A couple of things. One, a self-assessment set up properly with, we have a lot of agile teams, and those agile teams do spend time doing self-assessments.
Starting point is 00:16:38 The biggest thing that it does, honestly, is get buy-in from the teams on why this is important. And it helps them work closer with the security folks, the CISO, et cetera, to be able to really buy into the whole security process and why it's important. That's just from the buy-in perspective. But how it plays out in practicality is, what we do is we try to put some parameters in place on trying to have small code bases, the smallest code base you can for development teams; a larger code base is a larger footprint for an attack. We analyze the way that they're doing development, what type of maybe open source they're using and the risk that that may
Starting point is 00:17:17 have. And in this effort, we're giving the teams parameters to analyze the choices they're making and the choices their teammates are making. So as a team, they can work together, because there's a lot of pride in being the best-rated secure engineering team here. It's interesting that you mentioned how, you know, the teams have a say in the process itself, that they've got a part in deciding how we're going to measure things internally. That's exactly right. And again, about buy-in, and let me tell you, David, working at a cybersecurity company, the engineering teams, I mean,
Starting point is 00:17:51 I feel bad for the CISOs here, because they come in and try to tell a bunch of cybersecurity engineers what to do. And you want to talk about getting pushback. But what this does is help them really have that buy-in and really apply the knowledge they have on hacking and attacks to their development processes, which makes the whole organization more secure. But it really is fundamentally working with both the CISO and getting the teams bought in to figure out how to provide those standards and what it is they should be looking for, because if you do it at the point of development or the point technology is implemented, you're going to have a lot stronger security posture than if you're trying to
Starting point is 00:18:28 do it from the top down. I would imagine also that if you compare your own internal assessment to an external assessment, that could be really insightful for seeing: is the way you view yourselves different than perhaps the way other people view you? That is another great point, in that it brings value to the table when there is the external assessment. Someone comes in and looks at us, because you're also now ready to have that dialogue. When someone says externally, hey, this doesn't look right, or this is maybe a miss on your part, the team can say, you know what, that is a miss and we're sorry. Or they can say, you know what,
Starting point is 00:19:07 we've thought about that and this is why we've made choices around that. And they can have a really good dialogue. To be honest, assessors like it because they now feel like they're working with someone that's really invested and that understands what they're trying to do. And you just end up with a better,
Starting point is 00:19:24 more secure posture in your technology stack. All right. Well, David Dufour, thanks for joining us. Great being here, David.
Starting point is 00:19:57 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:20:40 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.